HP has acknowledged multiple vulnerabilities in HP System Management Homepage, which can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

1) Input passed to the "servercert" parameter in smhui/getuiinfo (when "JS" is set) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) A vulnerability in Namazu can be exploited by malicious people to conduct cross-site scripting attacks.

For more information:
SA29386

3) A vulnerability in Libxml2 can be exploited by malicious people to potentially compromise an application.

For more information see vulnerability #1:
SA32773

4) A vulnerability in PHP can be exploited by malicious people to potentially compromise a vulnerable system.

For more information see vulnerability #6:
SA32964

5) A vulnerability in PHP can be exploited by malicious people to conduct cross-site scripting attacks.

For more information see vulnerability #1:
SA35108

6) Multiple vulnerabilities in OpenSSL DTLS can be exploited by malicious people to cause a DoS (Denial of Service).

For more information:
SA33338
SA35128

The vulnerabilities are reported in versions prior to 6.0.

Solution
Fixed in version 6.0.0.96 for Windows and version 6.0.0.95 for Linux.
Further details available to Secunia VIM customers

Provided and/or discovered by
1) Richard Brain of ProCheckUp Ltd

Changelog
Further details available to Secunia VIM customers

Original Advisory
ProCheckUp Ltd:
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-15

HPSBMA02504 SSRT090220:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727

HPSBMA02492 SSRT100079:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers